Question about Open SSL 1.0.2 series compatibility

Fox, Shawn D (US) shawn.fox at baesystems.com
Thu Dec 7 18:22:41 UTC 2023


Yes, the idea is to get our customers off of RHEL7, but we have to get our software working on RHEL8 first. We will have some overlap where we release SW that runs on either by producing two different sets of binaries. We’ll have to wait until our customers agree that we can stop building releases for RHEL7.

We do link to the dynamic libraries, which I didn’t mention before, and when we set up our execution environment we do update LD_LIBRARY_PATH. I would think that would resolve conflicts, as the applications would then find our custom installation of openssl first. We have done something similar on RHEL7 using a slightly older version than what RHEL7 has installed to the system, and that worked, so I hoped that building v1.0.2u would be possible. I’m trying to find a least common denominator that will work on RHEL7 and RHEL8 until we can move on from RHEL7.

The function PEM_read_X509 seems to be the root of my issue. On RHEL8 it doesn’t populate the out parameter the same way and it results in a downstream seg fault. I have not been able to find where that function is defined. I used grep on the openssl code and couldn’t find a function definition to read. If anyone could help me understand why that is, I would appreciate it. It doesn’t look like a MACRO, but perhaps it is exported from somewhere; I cannot find the function implementation so that I can read the code and figure out how to debug it. I’ve built openssl with debug symbols, and I cannot step into that function with ‘gnu ddd’, nor can I figure out how to navigate to the function implementation.

Thanks,
Shawn Fox

From: Kenneth Goldman <kgoldman at us.ibm.com>
Sent: Thursday, December 7, 2023 6:07 AM
To: Fox, Shawn D (US) <shawn.fox at baesystems.com>; openssl-users at openssl.org
Subject: RE: Question about Open SSL 1.0.2 series compatibility

My understanding is that openssl does not guarantee binary compatibility at major releases.

A big value-add of the distros like RHEL is that they recompile everything and guarantee that it all works.  Replacing with a custom openssl, or any other system library, will probably break applications.

I would try either static link to your old version or link to a local old version, but not install openssl in the system area.

The ideal solution would be to get your customers off RHEL7, which was end of life 3 years ago, but you may have no choice.

From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Fox, Shawn D (US) via openssl-users
Sent: Wednesday, December 6, 2023 7:34 PM
To: openssl-users at openssl.org
Subject: [EXTERNAL] Question about Open SSL 1.0.2 series compatibility

I’m supporting a project that has been using the openssl 1.0.0 series built for RHEL7 for some time now.  OpenSSL 1.1.1 has breaking API changes, so I’ve built OpenSSL 1.0.2u for starters in order to upgrade to that version first, but I am building for both RHEL7 and RHEL8.  I have a couple of questions that I haven’t found answers for searching the web yet.

Is OpenSSL 1.0.2 compatible with native apps built for RHEL8?  Although it might not be ideal can it work on RHEL8?  I’ve built it on RHEL8 and I have used the openssl binary to read some cert files with the x509 sub-command, and it seems to produce the same results on RHEL7 and RHEL8 using the program from within bash shell.  That leads me to believe that I should be able to link a native c++ app with openssl 1.0.2u and run that on RHEL8 successfully.

Is OpenSSL 1.1.1 compatible with RHEL7?
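
A check for the library-resolution concern discussed in this thread (a privately built OpenSSL found through LD_LIBRARY_PATH next to the distribution's own copy), added here as an example and not taken from any message in the thread: the function reads `ldd` output and reports where libssl and libcrypto resolve, and whether two libcrypto sonames would end up in one process. The prefix `/opt/myapp/openssl`, the function name and both sample listings are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example. Real use: ldd ./myapp | check_openssl_resolution /opt/myapp/openssl
# /opt/myapp/openssl is a hypothetical prefix for the privately built OpenSSL.

# Reads ldd output on stdin. Returns 0 if every libssl/libcrypto entry resolves
# under the prefix, 1 if one resolves elsewhere or is missing, 2 if two different
# libcrypto sonames would be loaded into the same process, 3 if none is listed.
check_openssl_resolution() {
    local prefix name arrow path rest found outside sonames
    prefix="${1%/}"; found=0; outside=0; sonames=""
    while read -r name arrow path rest; do
        [ "$arrow" = "=>" ] || continue          # skips vdso / ld-linux lines
        case "$name" in
            libcrypto.so*) case " $sonames " in
                               *" $name "*) ;;
                               *) sonames="$sonames $name" ;;
                           esac ;;
            libssl.so*)    ;;
            *)             continue ;;
        esac
        found=1
        case "$path" in
            "$prefix"/*) echo "ok       $name -> $path" ;;
            *)           echo "OUTSIDE  $name -> $path $rest"; outside=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || { echo "no libssl/libcrypto dependency listed"; return 3; }
    set -- $sonames
    [ "$#" -le 1 ] || { echo "MIXED    libcrypto sonames:$sonames"; return 2; }
    [ "$outside" -eq 0 ] || return 1
    return 0
}

# Constructed ldd listings (not captured from a real host).
SAMPLE_CLEAN='    linux-vdso.so.1 (0x00007ffd0a1f2000)
    libssl.so.1.0.0 => /opt/myapp/openssl/lib/libssl.so.1.0.0 (0x00007f1a2c400000)
    libcrypto.so.1.0.0 => /opt/myapp/openssl/lib/libcrypto.so.1.0.0 (0x00007f1a2c000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1a2bc00000)'
# Same application, but a second dependency pulls in the system libcrypto as well.
SAMPLE_MIXED="$SAMPLE_CLEAN
    libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f1a2b800000)
    libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f1a2b400000)"

printf '%s\n' "$SAMPLE_CLEAN" | check_openssl_resolution /opt/myapp/openssl || echo "status $?"
printf '%s\n' "$SAMPLE_MIXED" | check_openssl_resolution /opt/myapp/openssl || echo "status $?"
```

`ldd` resolves libraries with the LD_LIBRARY_PATH of the shell it runs in, so run it in the same environment the application is started from.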
